United States Government Accountability Office GAO Testimony Before the Subcommittee on Oversight and Investigations, Committee on Energy and Commerce, House of Representatives For Release on Delivery Expected at 10:00 a.m. EDT Thursday, September 25, 2008 NUCLEAR SECURITY Los Alamos National Laboratory Faces Challenges In Sustaining Physical and Cyber Security Improvements Statement of Gene Aloise, Director Natural Resources and Environment Nabajyoti Barkakati, Chief Technologist Applied Research and Methodology Gregory C. Wilshusen, Director Information Security Issues GAO-08-1180T September 25, 2008 NUCLEAR SECURITY Accountability Integrity Reliability Highlights Highlights of GAO-08-1180T, testimony before the Subcommittee on Oversight and Investigations, Committee on Energy and Commerce, House of Representatives Los Alamos National Laboratory Faces Challenges in Sustaining Physical and Cyber Security Improvements Why GAO Did This Study What GAO Found Los Alamos National Laboratory (LANL) is one of three National Nuclear Security Administration (NNSA) laboratories that designs and develops nuclear weapons for the U.S. stockpile. LANL employees rely on sensitive and classified information and assets that are protected at different levels, depending on the risks posed if they were lost, stolen, or otherwise compromised. However, LANL has experienced several significant security breaches during the past decade. Physical security at LANL is in a period of significant improvement, and LANL is implementing over two dozen initiatives to better protect its classified assets. However, while LANL’s current initiatives address many physical security problems previously identified in external security evaluations, other significant security problems have received insufficient attention. In addition, the management approaches that LANL and NNSA intend to use to sustain security improvements over the long term are in the early stages of development or contain weaknesses. Furthermore, LANL’s ability to sustain its improved physical security posture is unproven because (1) the laboratory appears not to have done so after a significant security incident in 2004, with another significant security breach in 2006, and (2) NNSA’s Los Alamos Site Office—which is responsible for overseeing security at LANL—may not have enough staff or the proper training to execute a fully effective security oversight program. GAO’s report made recommendations to help further improve physical security at LANL and ensure that these improvements are sustained over the long term. This testimony provides GAO’s (1) views on physical security at LANL, as discussed in Los Alamos National Laboratory: Long-Term Strategies Needed to Improve Security and Management Oversight, GAO-08694 (June 13, 2008); (2) preliminary observations on physical security at Lawrence Livermore National Laboratory; and (3) views on cyber security at LANL as discussed in Information Security: Actions Needed to Better Protect Los Alamos National Laboratory’s Unclassified Computer Network, GAO-08-1001 (Sept. 9, 2008). To conduct this work, GAO analyzed data, reviewed policies and procedures, interviewed laboratory officials, and conducted site visits to the two laboratories. To view the full product, including the scope and methodology, click on GAO-08-1180T. For more information, contact Gene Aloise at (202) 512-3841, or aloisee@gao.gov; Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov; and Nabajyoti Barkakati at (202) 512-6412 or barkakatin@gao.gov. As a result of poor performance on an April 2008 physical security evaluation conducted by the Department of Energy’s (DOE) Office of Independent Oversight, GAO is reviewing physical security at Lawrence Livermore National Laboratory (Livermore). GAO’s preliminary observations are that Livermore appears to experience difficulties similar to LANL’s in sustaining security performance. Furthermore, it appears that NNSA has not always provided effective oversight of Livermore. Specifically, an NNSA security survey conducted only 6 months prior to the April 2008 DOE evaluation gave Livermore the highest possible rating on its security program’s performance. These results differ markedly from those documented by DOE’s Office of Independent Oversight. LANL has implemented measures to enhance cyber security, but weaknesses remain in protecting information on its unclassified network. This network possesses sensitive information such as unclassified controlled nuclear information, export control information, and personally identifiable information about LANL employees. GAO found vulnerabilities in critical areas, including (1) identifying and authenticating users, (2) encrypting sensitive information, and (3) monitoring and auditing security policy compliance. A key reason for these information security weaknesses is that the laboratory has not fully implemented an information security program to ensure that controls are effectively established and maintained. Furthermore, deficiencies in LANL’s policies and procedures raise additional concern, particularly with respect to foreign nationals’ accessing the network from the laboratory and remotely. Finally, LANL cyber security officials told GAO that funding to address some of their security concerns with the laboratory’s unclassified network has been inadequate. However, NNSA officials asserted that LANL had not adequately justified its requests for additional funds. GAO made 52 recommendations to help strengthen LANL’s information security program and controls over the unclassified network. United States Government Accountability Office Mr. Chairman and Members of the Subcommittee: We are pleased to be here today to discuss physical and cyber security at Los Alamos National Laboratory (LANL). LANL, located in Los Alamos, New Mexico, has a multibillion dollar annual budget and is one of three National Nuclear Security Administration (NNSA) laboratories responsible for designing and developing a safe, secure, and reliable nuclear weapons deterrent.1 In fiscal year 2007, LANL budgeted nearly $200 million to provide the laboratory with physical and cyber security to protect the sensitive and classified assets on which laboratory employees rely to conduct their work. A successful physical or cyber attack on NNSA sites containing nuclear weapons, the material used in nuclear weapons, or information pertaining to the people who design and maintain the U.S. nuclear deterrent could have devastating consequences for the site, its surrounding communities, and the nation’s security. Because of these risks, NNSA sites need effective physical and cyber security programs. Over the last decade, LANL has experienced a series of high-profile security incidents in which sensitive assets and classified information were compromised. In October 2006, during a drug raid on a private residence, it was discovered that a LANL contract employee had transferred classified information to a USB “thumb drive” and removed the thumb drive, as well as a large number of classified documents, from the laboratory. The Department of Energy’s (DOE) Inspector General reported that a serious breakdown in core laboratory physical and cyber security controls contributed to the October 2006 thumb drive incident.2 More recently, in April 2008, DOE’s Office of Independent Oversight conducted an evaluation of security at Lawrence Livermore National Laboratory (Livermore). The evaluation included a mock terrorist attack on a sensitive laboratory facility and concluded that Livermore’s security program had significant weaknesses, particularly with respect to the performance of Livermore’s protective force and the physical protection of classified resources. 1 The other design and development laboratories are Lawrence Livermore National Laboratory in Livermore, California, and Sandia National Laboratories in Albuquerque, New Mexico, and Livermore, California. NNSA is a separately organized agency within the Department of Energy that is responsible for the management and security of the nation’s nuclear weapons, nuclear nonproliferation, and naval reactors programs. 2 U.S. Department of Energy, Office of Inspector General Office of Audit Services, Special Inquiry Report to the Secretary: Selected Controls Over Classified Information at the Los Alamos National Laboratory, OAS-SR-07-01 (Washington, D.C., Nov. 2006). Page 1 GAO-08-1180T Security at DOE National Laboratories As a result of the October 2006 thumb drive incident and the congressional hearings that followed, the Committee asked us to review physical and cyber security at LANL. In addition, in June 2008, this Committee requested that we review the status of physical security at Livermore. Our testimony today discusses (1) physical security at LANL, (2) preliminary observations from ongoing work on physical security at Livermore, and (3) cyber security at LANL. This statement is primarily based on recently issued reports on physical and cyber security at LANL.3 We conducted the performance audit work that supports this statement in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to produce a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our statements today. Summary Physical security at LANL is in a period of significant improvement, and LANL is implementing over two dozen initiatives to better protect its classified assets. However, while LANL’s current initiatives address many security problems previously identified in external evaluations, other significant security problems have received insufficient attention. For example, at the time of our review, LANL had not implemented complete security solutions to address either the storage of classified nuclear weapons parts in unapproved storage containers or weaknesses in its process for ensuring that actions taken to correct security deficiencies are completed. Furthermore, management approaches that LANL and NNSA officials told us they would use to sustain security improvements over the long term were in the early stages of development or contained weaknesses. In addition, LANL’s ability to sustain its improved physical security posture is unproven because (1) the laboratory appears not to have done so after a significant security incident in 2004, and (2) NNSA’s Los Alamos Site Office—which is responsible for overseeing physical security at LANL on a daily basis—may not have enough staff or the proper training for these staff to execute a fully effective security oversight program. Our report on physical security at LANL made three recommendations to the Secretary of Energy and the Administrator of 3 GAO, Los Alamos National Laboratory: Long-Term Strategies Needed to Improve Security and Management Oversight, GAO-08-694 (Washington, D.C.: June 13, 2008) and GAO, Information Security: Actions Needed to Better Protect Los Alamos National Laboratory’s Unclassified Computer Network, GAO-08-1001 (Washington, D.C.: Sept. 9, 2008). Page 2 GAO-08-1180T Security at DOE National Laboratories NNSA concerning long-term strategic security planning and the use of meaningful financial incentives for effective security performance. We believe these recommendations, if effectively implemented, would help further improve physical security at LANL and ensure that these improvements are sustained over the long term. Though our observations on physical security at Livermore are preliminary, the laboratory appears to be experiencing difficulties similar to LANL’s in sustaining physical security performance. In addition, Livermore’s self-assessment and performance assurance programs appear to need improvement. For example, Livermore and NNSA security officials acknowledged that a lack of comprehensive performance assurance testing was a significant contributing factor to the poor performance of Livermore’s protective forces during their April 2008 exercise. Finally, it appears that NNSA has not always provided effective security oversight of Livermore. Specifically, a 2007 NNSA security survey gave Livermore the highest possible rating on its security performance, differing markedly from what DOE observed during its evaluation in April 2008, only 6 months later. DOE identified multiple areas for significant improvement, and gave Livermore the lowest rating possible in two security performance areas. Our review of cyber security at LANL found that the laboratory has implemented measures to enhance its information security, but weaknesses remain in protecting the confidentiality, integrity, and availability of information on its unclassified network.4 LANL’s unclassified network contains sensitive information, such as unclassified controlled nuclear information, export control information, and personally identifiable information about laboratory employees. LANL has implemented a network security system that is capable of detecting potential intrusions; however, we found vulnerabilities in several critical areas, including identifying and authenticating users; encrypting sensitive information; and monitoring and auditing compliance with security policies. For example, LANL has implemented strong authentication measures for accessing its unclassified network, but once access is initially gained, a user can work around the authentication measures to access certain sensitive information. A key reason for LANL’s information security weaknesses is that the laboratory has not fully implemented an 4 We are currently reviewing information security controls over LANL’s classified network for this Committee. Page 3 GAO-08-1180T Security at DOE National Laboratories information security program to ensure that controls are effectively established and maintained. For example, LANL’s most recent risk assessment for its unclassified network generally identified and analyzed vulnerabilities, but did not account for risks identified by the laboratory’s own internal vulnerability testing. Furthermore, we and other external security evaluators have reported concerns about LANL’s policies for granting foreign nationals—particularly those from countries classified as “sensitive” by DOE—access to the unclassified network. Finally, LANL cyber security officials told us that funding to address some of their security concerns with respect to the laboratory’s unclassified network has been inadequate. NNSA officials told us LANL has not adequately justified its request for additional funds, and NNSA is developing a process for developing cyber security budgets more systematically. We made 52 recommendations to the Secretary of Energy and the Administrator of NNSA that, if effectively implemented, would improve LANL’s information security program and controls over its unclassified network. These recommendations address, among other things, ensuring that LANL’s risk assessment for its unclassified network evaluates all known vulnerabilities and is revised periodically, and strengthening policies with a view toward further reducing, as appropriate, foreign nationals’ access to the unclassified network. Background A basic management objective for any organization is to protect the resources that support its critical operations from unauthorized access, use, destruction, or disruption. Organizations accomplish this objective by designing and implementing controls that are intended to, among other things, prevent, limit, and detect unauthorized access to computing resources, programs, information, and facilities. At LANL, these assets include Category I special nuclear material, such as plutonium and highly enriched uranium;5 thousands of classified nuclear weapons parts and components; millions of classified documents; thousands of pieces of classified removable electronic media that contain nuclear weapon design information;6 over 100 vaults and vault-type rooms that store classified assets; and computer networks and the hardware on which these 5 Special nuclear material is considered to be Category I when it is weapons-grade, such as plutonium and highly enriched uranium, and occurs in specified forms and quantities. 6 Some classified documents and pieces of removable electronic media, such as CDs and thumb drives, pose a security risk that requires maintenance of an accountability system to prevent unauthorized access or removal. Page 4 GAO-08-1180T Security at DOE National Laboratories networks run that protect classified information as well as sensitive unclassified information. LANL is subject to a series of DOE security orders that outline requirements for implementing effective physical and cyber security protection strategies. These orders include an assessment of the potential size and capabilities of terrorist forces that could physically attack a laboratory and against which a laboratory must be prepared to defend. The orders further describe different levels of physical protection for sensitive and classified assets, depending on the risk they would pose if they were lost, stolen, or otherwise compromised. Appropriate physical protection safeguards include locks and keys, fences, means to detect unauthorized entry, perimeter alarms, vehicle barriers, and armed guards. In addition, the Congress enacted the Federal Information Security Management Act (FISMA) in December 2002 to strengthen the security of information and information systems across the federal government.7 FISMA requires each agency to develop, document, and implement an agencywide information security program that supports the operations and assets of the agency, including those provided or managed by another agency or contractor on its behalf. Examples of appropriate information security controls include user identification and authentication that allow computer systems to differentiate between users and verify their identities; cryptography that ensures the confidentiality and integrity of critical and sensitive information; configuration management that identifies and manages security features for all hardware, software, and firmware components of an information system and controls changes to them; and audit and monitoring controls that help establish individual accountability and monitor compliance with security policies. LANL is managed and operated by a corporate entity, Los Alamos National Security LLC (LANS).8 NNSA’s Los Alamos Site Office serves as the primary federal overseer of laboratory security performance. Annually, the Site Office determines how much money LANS will earn for its 7 FISMA was enacted as title III, E-Government Act of 2002, Pub. L. No. 107-347, 116 Stat. 2946 (Dec. 17, 2002). 8 LANS has been the management and operating contractor of LANL since June 2006. LANS is made up of the University of California, Bechtel National, Washington Group International, and BWX Technologies (which now operates under the name The Babcock & Wilcox Company). Page 5 GAO-08-1180T Security at DOE National Laboratories management of the laboratory according to a maximum available performance-based fee established in the laboratory’s contract. The Site Office bases its determination on the laboratory’s success in meeting the goals laid out in performance evaluation plans. These plans allocate portions of the maximum available performance award fee to NNSA performance objectives, including measures related to both physical and cyber security. In addition, two DOE organizations are required to periodically review physical and cyber security at LANL. NNSA’s Los Alamos Site Office is required to conduct security surveys annually. These surveys are based on observations of performance, including compliance with DOE and NNSA security directives. In fiscal year 2008, the results of this survey are directly tied to NNSA’s performance evaluation plan, and are therefore a factor in LANS’ ability to earn the maximum available performance award fee. DOE’s Office of Independent Oversight also conducts evaluations, typically every 18 months for facilities that store Category I special nuclear material. These evaluations identify weaknesses in the laboratories’ security programs and produce findings that laboratory officials must take action to correct. The reviews overlap substantially, but each is required to provide a comprehensive assessment of the laboratory’s security programs. Page 6 GAO-08-1180T Security at DOE National Laboratories While Physical Security at Los Alamos National Laboratory Has Improved, Management Approaches to Sustain Security Improvements Are in the Early Stages of Development or Contain Weaknesses Physical security at LANL is in a period of significant improvement, and LANL is implementing over two dozen initiatives to reduce, consolidate, and better protect its classified assets, as well as reduce the physical footprint of the laboratory by closing unneeded facilities. LANL officials believe that these initiatives will reduce the risk of incidents that can result in the loss of control over classified assets. For example, to reduce and consolidate classified assets and its physical footprint, as of March 2008, LANL had (1) reduced from nine to one the number of areas containing Category I special nuclear material; (2) reduced the amount of accountable classified removable electronic media from 87,000 pieces to about 4,300 and made information previously accessible on removable media available only through the laboratory’s classified computer network; (3) eliminated about 30,000 classified nuclear weapon parts; and (4) reduced the number of vault-type rooms from 142 to 111. In addition, during fiscal year 2007, LANL reduced the physical footprint of existing facilities by over 500,000 square feet. In concert with these actions, LANL is implementing a series of engineered and administrative controls to better protect and control classified assets, 9 such as removing the functions from classified computers that enable them to create new pieces of removable electronic media and streamlining physical security procedures to make them easier to implement across the laboratory. We found that DOE’s Office of Independent Oversight and the Los Alamos Site Office identified significant physical security problems at LANL that the laboratory had not fully addressed. Specifically, while LANL’s storage of classified parts in unapproved storage containers and its process for ensuring that actions to correct identified security deficiencies have been cited in external security evaluations for years, complete security solutions in these areas had not yet been implemented at the time of our review. In addition, external security evaluations had repeatedly identified concerns about the adequacy of LANL’s assessments of its own security performance. The security self-assessment program provides LANL with the opportunity to self-identify security deficiencies and address them before they can be exploited. External security evaluations found that LANL’s self-assessments were not comprehensive and did not include discussions of all internal findings. These evaluations also noted that findings identified through self-assessments were not always analyzed and 9 Engineered controls are system-based controls that manage work processes and prevent employees from taking inappropriate action. Administrative controls are typically policies or procedures that govern the handling of classified resources. Page 7 GAO-08-1180T Security at DOE National Laboratories addressed through corrective actions. At the time of our review, Los Alamos Site Office and DOE Office of Independent Oversight officials noted that LANL’s self-assessment program was improving. LANL officials identified three management approaches that they asserted would sustain security improvements over the long term. However, these approaches were either in an early stage of development or contained important weaknesses that may impair their ability to ensure the sustainability of security improvements at the laboratory for the foreseeable future. First, LANL officials identified completing the management actions required by the Secretary of Energy’s Compliance Order issued as a result of the October 2006 thumb drive incident as an approach to ensure that security improvements are sustained, yet the Compliance Order itself does not provide a mechanism to sustain security improvements over the long-term.10 Second, LANL officials told us they will track the implementation of longer-term actions, including those required by the Compliance Order, by developing and implementing the Contractor Assurance System required under the LANS contract.11 However, the extent to which LANL can rely on the Contractor Assurance System to ensure the long-term sustainability of security improvements is unclear. According to a Los Alamos Site Office official, the Contractor Assurance System will not be fully completed for 3 to 4 years and, thus, will not be fully implemented by the time actions under the Compliance Order are completed. Finally, according to LANL officials, the laboratory plans to realize security improvements by meeting the security-related performance incentives in the annual performance evaluation plans NNSA uses to measure performance and determine an award fee for LANS. However, the annual performance evaluation plans focus principally on 10 The Secretary of Energy has authority under 10 C.F.R. § 824.4(b) of DOE’s Procedural Rules for the Assessment of Civil Penalties for Classified Information Security Violations to issue compliance orders that direct management and operating contractors to take specific corrective actions to remediate deficiencies that contributed to security violations. On July 12, 2007, the Secretary of Energy issued a compliance order to LANS as a result of the security incident discovered in October 2006. The Compliance Order directs LANS to take comprehensive steps to ensure that it identifies and addresses critical classified information and cyber security deficiencies at LANL. Violation of the Compliance Order would subject LANS to civil penalties of up to $100,000 per violation per day until compliance is reached. 11 The Contractor Assurance System is intended to be a tool to increase accountability and improve laboratory management and performance. According to a LANL official, the Contractor Assurance System is an integrated performance-based management system that is available as a tool for federal oversight. Page 8 GAO-08-1180T Security at DOE National Laboratories compliance with DOE requirements and do not sufficiently reward security program improvement. In that regard, according to a senior NNSA security official, compliance with current DOE requirements does not assure that LANL’s security program is functioning effectively. Indeed, we found that all but $30,000 of the total $1.43 million fiscal year 2008 performance fee allocated to physical security was associated with LANL’s achievement of compliance-oriented milestones, such as issuing plans, publishing policies, and completing equipment maintenance requirements. The management attention dedicated to improving physical security following the October 2006 thumb drive incident mirrors the level of attention that followed LANL’s 2004 shutdown, when over 3,400 safety and security deficiencies were identified for correction. This shutdown lasted up to 10 months for some laboratory activities and cost as much as $370 million.12 Given how quickly LANL’s security performance declined between the full resumption of laboratory activities in May 2005 and the discovery of the thumb drive on private property, LANL’s ability to sustain the improved security posture it has recently achieved is unproven. Strong federal oversight will help ensure that these improvements are sustained. However, we reported that the Los Alamos Site Office suffers from a shortage of security personnel and lacks funding needed for training. Specifically, as of October 2007, the Los Alamos Site Office employed 13 security staff—enough for 1 person to oversee each of the topical areas the Site Office had to evaluate. This staffing level, officials said, was sufficient to cover only 15 percent of LANL’s facilities. In April 2008, a senior security official at the Site Office said security staffing levels had decreased since October 2007. Furthermore, while NNSA had identified the need to train and certify Site Office security personnel in specific subject matters, according to Site Office officials no specific training funds had been made available. We made three recommendations to the Secretary of Energy and the Administrator of NNSA that, if effectively implemented, will improve physical security at LANL and help ensure that improvements LANL has achieved are sustained over the long term. Specifically, we recommended that LANL be required to develop a comprehensive strategic plan for laboratory security that addresses all previously identified security 12 GAO, Stand-Down of Los Alamos National Laboratory: Total Costs Uncertain; Almost All Mission-Critical Programs Were Affected but Have Recovered, GAO-06-83 (Washington, D.C.: Nov. 18, 2005). Page 9 GAO-08-1180T Security at DOE National Laboratories weaknesses and focuses on improving security program effectiveness. Furthermore, we recommended that NNSA provide meaningful financial incentives in future performance evaluation plans for implementation of this comprehensive strategic plan for laboratory security. In June 2008, the Committee requested that we review the security status at Livermore. This request came as a result of an evaluation by DOE’s Office of Independent Oversight in April 2008, in which Livermore received the lowest possible ratings for protective force performance and for physical protection of classified resources. The evaluation also identified issues in other areas, such as security sensors and alarms, and security program management. We are currently verifying the findings of the evaluation and Livermore’s actions to correct security deficiencies. Specifically: Preliminary Observations on Physical Security at Lawrence Livermore National Laboratory • Self-assessment and performance assurance testing programs at Livermore need improvement. DOE’s Office of Independent Oversight evaluations and Livermore Site Office security surveys found shortcomings in Livermore’s fiscal year 1999, 2000, 2002, and 2008 selfassessment programs. In addition, Livermore and NNSA security officials acknowledged that a lack of comprehensive performance assurance testing was a significant contributing factor to the poor performance of Livermore protective forces during their April 2008 exercise. Between December 2006 and April 2008, Livermore did not hold an integrated performance assurance test of its protective forces or operationally test equipment key to the laboratory’s protective strategy. During our visit to the laboratory 2 weeks ago, Livermore officials told us they are finalizing corrective action plans to address deficiencies in their performance assurance and self-assessment programs and have already conducted a significant number of performance assurance tests with the protective force and on equipment since the completion of the Office of Independent Oversight’s 2008 evaluation. • NNSA and the Livermore Site Office have not always provided effective security oversight. Six months before the Office of Independent Oversight’s 2008 evaluation, the 2007 Livermore Site Office’s annual security survey gave the laboratory a 100-percent satisfactory rating on its security performance, the highest possible rating. The results of the Office of Independent Oversight inspection not only differed markedly, but also found that the Livermore Site Office survey was not comprehensive and the ratings provided did not reflect what was actually observed. The Livermore Site Office is currently in the process of fundamentally Page 10 GAO-08-1180T Security at DOE National Laboratories rebuilding and restructuring its survey program and has embarked on a training program for its security personnel. Though our observations are preliminary, Livermore appears to be experiencing difficulties similar to LANL’s in sustaining physical security performance. For example, in 1999, DOE’s Office of Independent Oversight identified significant weaknesses in Livermore’s programs to secure the laboratory’s Category I special nuclear material facility against a potential terrorist attack. Livermore then embarked on a major program to improve security and, according to the Office of Independent Oversight, addressed most issues by 2002. This improved level of security performance appears to have been sustained through 2006. Between December 2006—when Livermore’s protective force performed well in an exercise—and April 2008, security performance at Livermore declined. In response to the negative results of the 2008 Office of Independent Oversight evaluation, Livermore appears to be refocusing management attention on security performance. While our work is preliminary, we believe the actions taken by Livermore, the Livermore Site Office, and NNSA, if and when fully implemented, will address identified physical security issues. However, just as at LANL, sustaining attention on physical security performance will continue to be a challenge. Los Alamos National Laboratory Has Implemented Measures to Enhance Cyber Security on Its Unclassified Network, but Weaknesses Remain LANL has implemented measures to enhance its cyber security, but weaknesses remain in protecting the confidentiality, integrity, and availability of information on its unclassified network. In particular, LANL has implemented a network security system that is capable of detecting potential intrusions on the network. However, LANL has vulnerabilities in several critical areas, including (1) identifying and authenticating users of the network, (2) encrypting sensitive information, (3) monitoring and auditing compliance with security policies, (4) controlling and documenting changes to a computer system’s hardware and software, and (5) restricting physical access to computing resources. For example, although LANL had implemented strong authentication measures for accessing the network, these measures were not always used. Once a user successfully accessed the network, the user could create a separate, simple password that would allow alternative access to certain sensitive information. Furthermore, LANL neither conducted comprehensive vulnerability scans of the unclassified network nor included sensitive applications in these scans, thus leaving the network at increased risk of compromise or disruption. In addition to these weaknesses, LANL’s Page 11 GAO-08-1180T Security at DOE National Laboratories computing facilities had physical security weaknesses and could be vulnerable to intentional disruption. Specifically, we observed lax restriction of vehicular traffic entering the laboratory and inadequate fencing. A key reason for the information security weaknesses we identified is that LANL has not yet fully implemented an information security program to ensure that controls are effectively established and maintained. Although LANL has implemented a security awareness training program, we identified a number of shortcomings in its overall information security management program. For example, (1) its risk assessment was not comprehensive, (2) specific guidance was missing from policies and procedures, (3) the network security plan was incomplete, (4) system testing had shortcomings, (5) remedial action plans were incomplete and corrective actions were not always timely, and (6) the network contingency plan was incomplete and inadequately tested. Until LANL ensures that the information security program associated with its unclassified network is fully implemented, it will have limited assurance that sensitive data are adequately protected against unauthorized disclosure or modification or that network services will not be interrupted. Many of LANL’s cyber security deficiencies have been the subject of prior evaluations conducted by DOE’s Office of Independent Oversight and the Los Alamos Site Office. The most recent reports, covering fiscal years 2006 and 2007, documented significant weaknesses with LANL’s unclassified information security program, including foreign nationals’ access to the laboratory’s unclassified network. As of May 2008, LANL had granted unclassified network access to 688 foreign nationals, including about 300 from countries identified as sensitive by DOE, such as China, India, and Russia.13 In addition, foreign nationals from sensitive countries have been authorized remote access to LANL’s unclassified network. The number of foreign nationals who have access to the unclassified network has raised security concerns among some laboratory and NNSA officials because of the sensitive information contained on the network. According to LANL, the percentage of foreign nationals with authorized remote access to the unclassified network has steadily declined over the last 5 years. 13 DOE identifies countries as sensitive based on national security, nuclear nonproliferation, or terrorism concerns. Page 12 GAO-08-1180T Security at DOE National Laboratories NNSA and LANL have not agreed on the level of funding necessary for protecting the unclassified network. From fiscal years 2001 through 2007, LANL spent $51.4 million to protect and maintain its unclassified network. Although LANL cyber security officials told us that funding has been inadequate to address some of their security concerns, NNSA officials raised questions about the basis for LANL’s funding request for cyber security. NNSA’s Chief Information Officer told us that LANL has not adequately justified requests for additional funds to address the laboratory’s stated shortfalls. In addition, NNSA officials informed us that LANL’s past budget requests were prepared on an ad hoc basis and were not based on well-defined threat and risk assessments. In response to these concerns, in fiscal year 2006, NNSA implemented a more systematic approach to developing cyber security budgets across the nuclear weapons complex, including LANL. This effort, however, does not provide guidance that clearly lays out funding priorities. Furthermore, NNSA does not consistently document resource allocation decisions and identify how funding shortfalls affect critical cyber security issues. To help strengthen information security controls over LANL’s unclassified network, we made a series of recommendations to the Secretary of Energy and the Administrator of NNSA, 11 of which focus on improving LANL’s information security program and determining resource requirements for the unclassified network. For example, we recommended that the Secretary of Energy and the NNSA Administrator require the Director of LANL to, among other things, (1) ensure that the risk assessment for the unclassified network evaluates all known vulnerabilities and is revised periodically and (2) strengthen policies with a view toward further reducing, as appropriate, foreign nationals’ access to the unclassified network, particularly those from countries identified as sensitive by DOE. We made an additional 41 recommendations in a separate report with limited distribution. These recommendations consist of actions to be taken to correct the specific information security weaknesses related to identification and authentication, cryptography, audit and monitoring, configuration management, and physical security that we identified. Mr. Chairman, this concludes our prepared statement. We would be happy to respond to any questions that you or Members of the Subcommittee may have at this time. Page 13 GAO-08-1180T Security at DOE National Laboratories GAO Contacts and Staff Acknowledgements For further information on this testimony, please contact Gene Aloise at (202) 512-3481 or aloisee@gao.gov; Nabajyoti Barkakati at (202) 512-6412 or barkakatin@gao.gov; and Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov. Jonathan Gill, Ed Glagola, Jeff Knott, and Glen Levis, Assistant Directors; Allison Bawden; Preston Heard; Tom Twambly; Ray Rodriguez; John Cooney; Carol Herrnstadt Shulman; and Omari Norman made key contributions to this testimony. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this statement. (361011) Page 14 GAO-08-1180T Security at DOE National Laboratories This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. GAO’s Mission The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO’s Web site (www.gao.gov). Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to www.gao.gov and select “E-mail Updates.” Order by Mail or Phone The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, DC 20548 To order by Phone: Voice: TDD: Fax: (202) 512-6000 (202) 512-2537 (202) 512-6061 To Report Fraud, Waste, and Abuse in Federal Programs Contact: Congressional Relations Ralph Dawn, Managing Director, dawnr@gao.gov, (202) 512-4400 U.S. Government Accountability Office, 441 G Street NW, Room 7125 Washington, DC 20548 Public Affairs Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548 Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470 PRINTED ON RECYCLED PAPER